A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 12 October 2004. 
2a) [ ] This action is FINAL. 2b) [X] This action is non-final. 

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213. 

Disposition of Claims 

4) [X] Claim(s) 1-17 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) [ ] Claim(s) is/are allowed. 

6) [X] Claim(s) 1-17 is/are rejected. 

7) [ ] Claim(s) is/are objected to. 

8) [ ] Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) [ ] The specification is objected to by the Examiner. 

10) [X] The drawing(s) filed on 20 December 1999 is/are: a) [X] accepted or b) [ ] objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 

Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12) [ ] Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
a) [ ] All b) [ ] Some * c) [ ] None of: 

1. [ ] Certified copies of the priority documents have been received. 

2. [ ] Certified copies of the priority documents have been received in Application No. . 

3. [ ] Copies of the certified copies of the priority documents have been received in this National Stage application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
DETAILED ACTION 

1. Claims 1-17 are pending. 

Response to Arguments 

2. Applicant's arguments with respect to claims 1-17 have been considered but are 
moot in view of the new ground(s) of rejection. However, Examiner wishes to note, in 
regards to Applicant's arguments that the Mi reference fails to teach "the first key being 
only known to the content provider", that the knowledge of a key to only the content 
provider is not a property of the key. The limitation "generating a first key known only to 
said content provider" implies the intent of having the key known only to the content 
provider, but does not require it because it is impossible to prove such a limitation. Any 
key may be broken through cryptanalysis or acquired through hacking. Hence, for the 
remainder of this office action, the limitation "known only to said content provider" has 
not been given patentable weight. 

Claim Rejections - 35 USC § 112 

3. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

4. Claims 1, 5, 12, 13, 15, and 16 are rejected under 35 U.S.C. 112, second 
paragraph, as being incomplete for omitting essential elements, such omission 
amounting to a gap between the elements. See MPEP § 2172.01. The omitted 
elements are: the sending of the encrypted second key on the client machine to the 
content provider. 



Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

6. Claims 1, 3-5, 7-8, 12-13, 15 and 16 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Thomlinson et al US Patent No. 6,389,535 in view of Aziz US 
Patent No. 5,604,803. Thomlinson teaches a system for cryptographic protection of core data 
secrets. Aziz teaches a method for secure remote authentication in a public network. 

7. With regards to claims 1, 12, and 15, Thomlinson teaches the generating of a first 
key (Thomlinson, column 9 lines 20-22, master key), the encrypting of a second key 
using the first key and an encryption algorithm (Thomlinson, column 9 lines 20-22, item 
key encrypted by master key), decrypting the second key using the first key when the 
user desires access to data (Thomlinson, column 10 lines 5-13, decrypt item key using 
master key), the storing of an encrypted second key on the client machine (Thomlinson, 
column 9 line 63 - column 10 line 4), and accessing the data using the second key 
(Thomlinson, column 10 lines 15-16). Thomlinson lacks a reference to the use of a one-time 
password. Aziz teaches the use of a one-time password (Aziz, column 6 lines 61-64). 
At the time the invention was made, it would have been obvious to a person of 
ordinary skill in the art to utilize Aziz's method of using one-time passwords with Mi's 
access control system because it offers the advantage of reducing the likelihood of an 
unauthorized user gaining access to user passwords (Aziz, column 2 lines 1-13). 

8. With regards to claims 3 and 7, Mi as modified teaches the one-time password 
being a unique user identifier and the one time password being transmitted out of band 
(Aziz, column 2 lines 45-60). 

9. With regards to claims 4 and 8, Thomlinson as modified teaches a second key 
being required in an algorithm that generates a session key used to decrypt data 
(Thomlinson, column 10 lines 11-16). 

10. With regards to claims 5, 13 and 16, Thomlinson teaches everything described 
above, and further teaches the use of a separate user supplied password (Thomlinson, 
column 10 lines 5-9). 

11. Claims 2 and 6 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Thomlinson et al US Patent No. 6,389,535 and Aziz US Patent No. 5,604,803, as 
applied to claims 1, 12, and 15 above, and in further view of Mi et al US Patent No. 
6,418,472. 

Application/Control Number: 09/468,377 

Art Unit: 2134 

12. With regards to claims 2 and 6, Thomlinson as modified fails to teach the step of 
transmitting the identity of the client machine to the content provider. Mi teaches the 
step of transmitting the identity of the client machine to the content provider to 
authenticate that the user is using the client machine thereby permitting data to be 
accessed only on the client machine (Mi, column 8 lines 32-46). At the time the 
invention was made, it would have been obvious to a person of ordinary skill in the art to 
utilize Mi's method of transmitting a client's identity with Thomlinson as modified 
because it offers the advantage of allowing the identification of a platform or device 
employed by the user prior to granting access to an object (Mi, column 1 line 69 - 
column 2 line 2). 

13. Claims 9, 14, and 17 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Thomlinson et al US Patent No. 6,389 in view of Aziz US Patent No. 5,604,803, 
and Jablon US Patent No. 6,226,383. Jablon describes cryptographic methods for 
remote authentication. 

14. With regards to claims 9, 14, and 17, Thomlinson teaches the generating of a 
first key (Thomlinson, column 9 lines 20-22, master key), the encrypting of a second key 
using the first key and an encryption algorithm (Thomlinson, column 9 lines 20-22, item 
key encrypted by master key), decrypting the second key using the first key when the 
user desires access to data (Thomlinson, column 10 lines 5-13, decrypt item key using 
master key), the storing of an encrypted second key on the client machine (Thomlinson, 
column 9 line 63 - column 10 line 4), and accessing the data using the second key 
(Thomlinson, column 10 lines 15-16). Thomlinson lacks a reference to the use of a one-time 
password, the sending of g^a to the client machine, generating g^b, encrypting 
g^b, and calculating g^(a*b) as part of the authentication procedure. Aziz teaches the 
use of a one-time password (Aziz, column 6 lines 61-64). Jablon teaches a procedure 
called Hidden-Password Validation that includes the sending of g^a to the client 
machine (Jablon, column 7 lines 16-23), generating g^b (Jablon, column 7 lines 23-26), 
encrypting g^b (Jablon, column 7 lines 23-26; g^b is exchanged using Diffie-Hellman 
encryption), and calculating g^(a*b) (Jablon, column 7 lines 25-27) as part of the 
authentication procedure. At the time the invention was made, it would have been 
obvious to a person of ordinary skill in the art to utilize Aziz's method of using one-time 
passwords and Jablon's exchange procedures with Thomlinson's system because it 
would offer the advantage of reducing the likelihood of an unauthorized user gaining 
access to user passwords (Aziz, column 2 lines 1-13) and because it would help reduce 
the vulnerability of the password if a host computer's password database is exposed 
(Jablon, column 20 lines 17-20). 

15. Claim 10 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Thomlinson et al US Patent No. 6,389,535, Aziz US Patent No. 5,604,803, and Jablon 
US Patent No. 6,226,383, as applied to claim 9 above, and in further view of Mi et al US 
Patent No. 6,418,472. 

16. With regards to claim 10, Thomlinson as modified fails to teach the step of 
transmitting the identity of the client machine to the content provider. Mi teaches the 
step of transmitting the identity of the client machine to the content provider to 
authenticate that the user is using the client machine thereby permitting data to be 
accessed only on the client machine (Mi, column 8 lines 32-46). At the time the 
invention was made, it would have been obvious to a person of ordinary skill in the art to 
utilize Mi's method of transmitting a client's identity with Thomlinson as modified 
because it offers the advantage of allowing the identification of a platform or device 
employed by the user prior to granting access to an object (Mi, column 1 line 69 - 
column 2 line 2). 



17. Claim 11 is rejected under 35 U.S.C. 103(a) as being unpatentable over Thomlinson 
et al US Patent No. 6,389,535, Aziz US Patent No. 5,604,803, and Jablon US Patent 
No. 6,226,383 as applied to claim 9 above, and further in view of Schneier Applied 
Cryptography. 

18. With regards to claim 11, Thomlinson as modified, lacks a reference to a MAC 
authentication procedure. Schneier describes the one-way hash function termed a 
MAC that is used to verify authenticity (Page 455, Section 18.14). At the time the 
invention was made, it would have been obvious to a person of ordinary skill in the art to 
utilize Schneier's MAC authentication on g^(a*b) to authenticate the server to the client 
because it provides a verification method that is reliant on having the same key. Both 
client and server generate the same key during the authentication procedure so the 
MAC authentication would be an easy way to check authenticity without needing 
security since it is a one-way function (Page 455, Section 18.14). 



Conclusion 
19. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Andrew L Nalven whose telephone number is 571 272 
3839. The examiner can normally be reached on Monday - Thursday 8-6, Alternate 
Fridays. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gregory Morse can be reached on 571 272 3838. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 





